S0108 netsh
netsh is a scripting utility used to interact with networking components on local or remote systems.[1]
Item | Value |
---|---|
ID | S0108 |
Associated Names | |
Type | TOOL |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 17 January 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.007 | Netsh Helper DLL | netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[3] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.004 | Disable or Modify System Firewall | netsh can be used to disable local firewall settings.[1][2] |
enterprise | T1090 | Proxy | netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[4] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | netsh can be used to discover system firewall settings.[1][2] |
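Each of the four techniques in the table leaves a host-side artifact that can be audited without netsh's cooperation: helper DLLs are registered as values under HKLM\SOFTWARE\Microsoft\NetSh, portproxy rules persist under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, a disabled firewall shows up as a profile with Enabled=False, and all four show up as netsh.exe command lines in process-creation telemetry. The following script is an added audit example written for this page, not code from the ATT&CK entry or from netsh itself. It assumes an elevated session, Windows 8 / Server 2012 or later (for Get-NetFirewallProfile), and, for the last check, that Security event 4688 is being logged with "Include command line in process creation events" enabled; the function name, the signing heuristic and the command-line patterns are my choices.

```powershell
# Added audit example for the netsh techniques above (not from the ATT&CK page
# or from netsh). Assumptions: elevated session; Windows 8 / Server 2012+ for
# Get-NetFirewallProfile; Security 4688 with command-line logging enabled.
function Invoke-NetshAudit {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($technique, $detail) {
        $findings.Add([pscustomobject]@{ Technique = $technique; Detail = $detail })
    }

    # T1546.007 - Netsh Helper DLL. netsh.exe loads every DLL named under this
    # key at startup, so a value pointing at an attacker-controlled DLL runs each
    # time anyone (an admin, a logon script, a scheduled task) invokes netsh.
    $helperKey = 'HKLM:\SOFTWARE\Microsoft\NetSh'
    $system32  = Join-Path $env:SystemRoot 'System32'
    foreach ($p in (Get-ItemProperty -Path $helperKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $dll = [string]$p.Value
        # Built-in helpers are bare file names resolved from System32. A rooted
        # path, a file outside System32, or an unsigned file deserves a look.
        $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }
        $inSystem32 = $resolved.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
        $signed = $false
        if (Test-Path -LiteralPath $resolved) {
            $signed = (Get-AuthenticodeSignature -FilePath $resolved).Status -eq 'Valid'
        }
        if (-not $inSystem32 -or -not $signed) {
            Add-Finding 'T1546.007' "helper '$($p.Name)' -> $resolved (System32: $inSystem32, signed: $signed)"
        }
    }

    # T1090 - Proxy. "netsh interface portproxy add ..." persists its rules here
    # and the IP Helper service re-applies them at boot. Any rule means this host
    # is forwarding traffic on someone's behalf; value name = listen addr/port,
    # value data = connect addr/port.
    foreach ($proto in 'v4tov4\tcp', 'v4tov6\tcp', 'v6tov4\tcp', 'v6tov6\tcp') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\$proto"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            Add-Finding 'T1090' "portproxy $proto listen $($p.Name) -> connect $($p.Value)"
        }
    }

    # T1562.004 - Disable or Modify System Firewall. The effect of
    # "netsh advfirewall set allprofiles state off" is a profile with Enabled=False.
    foreach ($profile in Get-NetFirewallProfile) {
        if ("$($profile.Enabled)" -eq 'False') {
            Add-Finding 'T1562.004' "firewall profile '$($profile.Name)' is disabled"
        }
    }

    # T1518.001 (and the three techniques above) as seen in process-creation
    # telemetry: netsh.exe command lines that read or change firewall state,
    # register a helper, or add a portproxy rule. Patterns are my assumptions.
    $cmdPatterns = [ordered]@{
        'T1546.007' = 'add\s+helper'
        'T1090'     = 'portproxy\s+add'
        'T1562.004' = 'set\s+\w+\s+state\s+off|set\s+opmode\s+(mode=)?disable'
        'T1518.001' = 'advfirewall\s+show|firewall\s+show'
    }
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                           -MaxEvents 20000 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -notlike '*\netsh.exe') { continue }
        foreach ($t in $cmdPatterns.Keys) {
            if ($data['CommandLine'] -match $cmdPatterns[$t]) {
                Add-Finding $t "$($e.TimeCreated) $($data['SubjectUserName']): $($data['CommandLine'])"
            }
        }
    }
    return $findings
}

Invoke-NetshAudit | Format-Table -AutoSize -Wrap
```

The helper-DLL check is the one to treat with care: Get-AuthenticodeSignature relies on catalog signatures for most built-in System32 DLLs, so a clean host should report nothing, but a host with a damaged catalog store can produce false positives. A value whose data is a rooted path outside System32 is the high-confidence case. The portproxy check reads the registry rather than parsing `netsh interface portproxy show all`, which is the same data but stable to parse and works even if netsh itself has been removed or replaced.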
Groups That Use This Software
ID | Name | References |
---|---|---|
G0035 | Dragonfly | 6 |
G0019 | Naikon | 7 |
G0059 | Magic Hound | 8 |
G0008 | Carbanak | 9 |
G0050 | APT32 | 10 |
G0032 | Lazarus Group | 11 |
References
1. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
2. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
3. Demaske, M. (2016, September 23). Using Netshell to Execute Evil DLLs and Persist on a Host. Retrieved April 8, 2017.
4. Kaspersky Lab's Global Research and Analysis Team. (2017, February 8). Fileless attacks against enterprise networks. Retrieved February 8, 2017.
5. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
6. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
7. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
8. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
9. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
10. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
11. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.